Binary Exploitation: Crashes and Buffer Overflows

Cool Security People of the Day (CSPoD)

Understanding code even when not intended:
- Requires in-depth thinking.
- Tools used include Disassembler/Ghidra and Pwntools.

Last session covered crackmes, focusing on input manipulation to solve code.
Now shifting focus to exploiting bugs:
- Examples of code with potential bugs include buffer overflows.

Importance of "memory safety":
- Languages like Go and Rust emphasize memory safety.
Common causes of undefined behavior include:
- Writing past array bounds.
- Integer overflow.
- Double freeing memory.
- Use after free.
- Uninitialized memory usage.
- Buffer overflow.

Occur when too much data is read into a buffer.
Examples of buffer overflow vulnerabilities:
- Using gets() for input.
- Using scanf("%s", buf) without size limits.
Real-world example: Morris worm exploited gets() function.

Goal: Gain RCE by manipulating code execution.
Technique: ret2win (return to win) to redirect execution to chosen functions.
Example Program: #include <stdio.h> #include <string.h> #include <stdlib.h> void win() { printf("How did you get here? I don't know whether to hire or fire you..."); execve("/bin/sh", 0, 0); } void main() { char buffer[32]; setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); printf("Welcome to Paperclip Mill NLC job portal. Why should we hire you? "); gets(buffer); printf("Thanks, we received your input: %s\n", buffer); }
Compile with gcc pwnme.c -o pwnme -fno-stack-protector -no-pie.

Data storage formats:
- Big endian: stores most significant byte first.
- Little endian: stores least significant byte first.

Topics to cover include shellcode, handling absence of win functions, ASLR, and leaks.